(EN) Article 38 describes the specifics of the position of the Data Protection Officer (DPO). In particular, the emphasis is on the fact that DPO performs its work independently, while the responsibility for their timely and quality performance lies partly with the company itself (the controller or processor). Therefore, the text emphasizes that the company provides DPO with the necessary resources and access on the one hand, and is responsible for the independence of the DPO, not having the right to give them any instructions on the other.

In order to provide DPO with support, the company is recommended to ensure the following:

• DPO is actively and timely involved in all data protection issues; DPO is invited to participate regularly in senior and middle management meetings when decisions with data protection implications are being made

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.1.1.

Here is the relevant paragraph to article 38 GDPR:

6.3.1.1 Information security roles and responsibilities

Implementation guidance

The organization should designate a point of contact for use by the customer regarding the processing of PII. When the organization is a PII controller, designate a point of contact for PII principals regarding the processing of their PII (see 7.3.2).